Project risk

Risk Angles

Despite decades of experience with formalized project management methodology, widespread awareness of the need to identify and manage risks, and increasingly
sophisticated supportive technology, organizations still struggle to execute projects successfully. Problems such as cost overruns, missed deadlines, and failure to meet business requirements have become so frequent they are largely expected and, for the most part, accepted as the norm.

Q. Why do some organizations struggle with successful project execution?

A. Remember Einstein’s observation that insanity is doing the same thing over and over again and expecting different results? Many organizations continue to use the same one-size-fits-all project management methodologies even though they experience less-than-successful outcomes. We know that upwards of 60 percent of projects are challenged (meaning late, over budget, or delivered without meeting specifications) or fail outright (cancelled or never deployed).1 Clearly, the way projects are being executed most of the time is not working, and managing risks using traditional or legacy approaches is not producing its intended outcome.

Schedule delays, budget overruns, and scope creep are commonplace. So are their causes: decisions based on qualitative information and anecdotal references; lack of effective oversight from senior management and boards (until there’s a problem); paying lip service to risks without properly considering and addressing them; and inadequate or improperly scaled controls. Many organizations also have a tendency to focus on projects’ technical aspects and downplay their “soft” or social impacts. Change management continues to be underestimated and undervalued by organizations looking to race to the finish. Ambiguity and project assumptions may be identified in project charters but are rarely tied to execution plans or approaches.

Q. What are the risks of a project that fails to meet expectations, or worse, fails completely?

A. Many levels and nuances of risk come into play, including people risk, process risk, technology risk, and geographical/geopolitical risk. Consider, for example, the risk of not delivering as promised, or not enabling the benefit as promised. What effect could that have on your ability to execute strategies or to operate effectively — or even at all? Reputational risk can be a byproduct of these types of risks. Particularly with projects that are well-known, big-ticket, or controversial, issues such as cost-overruns, delays, or technology failures can quickly become fodder for criticism and negative publicity, both for the organization and its leaders.

Organizations typically think they have risks covered. Traditional project management methodologies include a risk management stream. Project managers will almost universally tell you they have a risk log for recording risks. People who pull together business cases will say they included risks and assumptions. But what often happens is that the risks aren’t actually addressed in a substantive way and are frequently not accounted for in the project budget.

Q. How can organizations mitigate project risk and more consistently execute successful projects?

A. A mindset shift is in order. There’s been a sort of “conspiracy of optimism” about project risk — the tendency to say everything will be fine, or simply using benchmarks and outdated data to explain deviations from original plans and budgets. Risks get minimized, put in a risk log, and forgotten about (until something goes wrong). Even then, organizations have come to accept project challenges and failures as a normal part of doing business. They’ll look backwards to see what went wrong in a project, but go ahead and use the same project methodology in the future.

Instead, organizations should be cultivating a mindset that says “success is the only acceptable outcome” and that to be successful on projects, we need to plan for success, control our performance, and manage risk. There’s a direct correlation between success and controls, as well as between project complexity and execution; however not all controls that work in one environment will work in others. As we become risk intelligent, we also need to become control efficient.

The use of analytics to sense and manage risks, predict project outcomes, and steer course corrections as projects unfold is an emerging project management approach. These analytics-based or Big Data-driven approaches to decision making are new enough that many organizations are skeptical about them, have yet to apply them, or are still figuring out how to use them effectively. But the organizations that are diving in are seeing significant benefits. Testing the waters with a proof of concept/pilot project is an effective way to see how analytics can work for your organization and decide if it’s worth implementing on a broader scale.

Predictive Project Analytics in action

Neil White, principal in Deloitte & Touche LLP’s Audit & Enterprise Risk Services (AERS) Advisory practice and a national leader in the Deloitte Analytics practice, takes a closer look at how some organizations are trying to reverse the status quo as project stakes continue to rise and the consequences of failure grow more severe. These leaders are approaching projects with greater skepticism and desire for independent, objective review in an effort to avert challenges and increase their likelihood of project success.

One of the newest approaches for driving consistent project success is project risk management powered by analytics, or Predictive Project Analytics (PPA). This is an innovation in practical, applied analytics that works with and complements existing project methodologies. PPA uses market intelligence — information gleaned from thousands of successfully completed projects of varying levels of complexity — to help companies understand how their project stacks up against this track record of success. It gives detailed insight into where they should make corrections and take specific actions to increase their likelihood of future success. It’s a diagnostic tool, a risk management tool, and a decision-making tool, useful for not only planning new projects but also turning around troubled projects.

As a proof of concept for PPA, a financial services organization focused on a high-visibility project at a critical junction. Its large-scale overhaul of key financial systems was experiencing significant milestone delays, due to challenges such as:

Inefficient governance, leading to unclear roles, lack of empowerment, and lack of integration between IT and finance.

The “leading-edge” nature of the technology, which led to extensive and often unexpected system development and configuration, and an inability to estimate the duration of tasks.

Insufficient impact analysis, meaning the team didn’t fully understand the project’s effects on various parts of the organization and wasn’t adequately prepared to handle them.

The reappearance of risks that were part of the business case, assumed to have been mitigated when the investment decision was made, and rapidly becoming costly issues.

The project’s high visibility and involvement of vital processes made it an obvious choice for the enterprise project management office (EPMO) to test PPA capabilities. Preliminary, informal risk reviews were complemented by in-depth PPA risk-based reviews of project complexity and execution practices. The analysis identified critical project risks and insufficient execution controls, and made actionable recommendations to remediate them. It also identified the need for additional support, which resulted in a prioritized list of actions and adjustments to turn around the project.

The proof of concept functioned as an informative introduction to PPA for the EPMO, demonstrating the value of PPA findings and their ability to complement and in some cases supplement EPMO project reviews. The project led to the development of an implementation roadmap to embed analytics within the EPMO to serve as a health check and gating checkpoints.

The organization has also used PPA to evaluate other critical projects. One was an in-progress, high-visibility project that the board wanted to assess prior to releasing additional funding. This analysis led to remediation of structural issues, assignment of additional project resources, and changes in key project personnel. Another was a planned multi-platform, multi-geography technology and organizational change initiative still under development. PPA analysis revealed under-investment in project controls, given the project’s higher-than-usual level of complexity, and made actionable recommendations to (1) remediate project management practices on issues that were becoming systemic, (2) identify appropriate controls given the project’s unique risk profile, and (3) set realistic expectations for project cost and schedule.

Ultimately the financial services organization was able to “move the needle” on project management performance by not accepting the status quo and looking to innovation to pave a new path forward.

Explore risk from every angle

Receive the latest thinking from Deloitte on a wide range of issues and ideas related to Governance, Risk and Compliance. Update your Deloitte profile and start receiving the latest insights on risk.

Explore risk from every angleReceive the latest thinking from Deloitte on a wide range of issues and ideas related to Governance, Risk and Compliance. Update your Deloitte profile and start receiving the latest insights on risk.

Explore risk from every angleReceive the latest thinking from Deloitte on a wide range of issues and ideas related to Governance, Risk and Compliance. Update your Deloitte profile and start receiving the latest insights on risk.

Explore risk from every angleReceive the latest thinking from Deloitte on a wide range of issues and ideas related to Governance, Risk and Compliance. Update your Deloitte profile and start receiving the latest insights on risk.

Explore risk from every angleReceive the latest thinking from Deloitte on a wide range of issues and ideas related to Governance, Risk and Compliance. Update your Deloitte profile and start receiving the latest insights on risk.

Explore risk from every angleReceive the latest thinking from Deloitte on a wide range of issues and ideas related to Governance, Risk and Compliance. Update your Deloitte profile and start receiving the latest insights on risk.

Explore risk from every angleReceive the latest thinking from Deloitte on a wide range of issues and ideas related to Governance, Risk and Compliance. Update your Deloitte profile and start receiving the latest insights on risk.

Explore risk from every angleReceive the latest thinking from Deloitte on a wide range of issues and ideas related to Governance, Risk and Compliance. Update your Deloitte profile and start receiving the latest insights on risk.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see About Deloitte for a detailed description of DTTL and its member firms.